Security device for online transaction

ABSTRACT

The invention concerns a security device ( 10 ) for online transaction between a service provider equipped with a computer ( 15 ) and an operator equipped with a computerized station comprising a display ( 16 ) and a keyboard ( 18 ). The device essentially comprises: a signal receiving element ( 22 ) designed to be pressed against said display ( 16 ) for receiving a signal coming from said computer ( 15 ), said signal being processed to generate a code, and communication means ( 24 ) to provide the operator with access to said code. It further comprises a biometric sensor ( 26 ) adapted to acquire data concerning the operator, and a locking and unlocking member arranged between the signal receiving element ( 22 ) and the communication means ( 24 ), the code being accessible only in case of conformity between the read fingerprint and the stored imprint.

The present invention pertains to security devices, of the type of those intended for identifying a partner and/or ensuring the integrity of a communication during an online transaction, for example on the Internet network. Such devices are particularly useful during purchases by e-mail or for paying for services such as the issuing of licenses or the ordering of documents.

A device of this type is described in document U.S. Pat. No. 5,136,644. It takes the form of a box comprising a microcontroller, a photosensitive sensor formed of three in-line phototransistors and intended to be applied against a screen, for example a computer screen, so as to receive a coded optical signal, a keyboard making it possible to forward a message, a display whereby the information received by the device or the information to be sent by means of the keyboard is rendered accessible, and a link with a station, for example a computer, a television screen or a telephone terminal.

The signal is analyzed by the device and an access code, obtained by processing the information contained in the signal with the program of the microcontroller, is displayed by the screen. This code is then typed in on the keyboard, to afford access to a site or a payment order.

Such a device requires means of linking with the station, which has to be tailored for this purpose. Moreover, the configuration of the photosensitive sensor limits the flow of information transmitted in optical form to a maximum of a few hundred bits. Beyond this, the time required for transmission exceeds 2 to 3 seconds, beyond which the wait becomes disagreeable and the stability of the device against the screen is difficult to ensure.

Document U.S. Pat. No. 5,432,851 relates to an access control system calling upon a computer furnished with a screen and with a keyboard, and a control device comprising a photoelectric sensor making it possible to receive a signal through the screen, an electronic circuit for processing the signal, a display, as well as a memory containing information allowing decryption of the signal, so as to generate an access code rendered accessible by means of the display.

This document says nothing about the photoelectric sensor. At the very most, it may be construed as suggesting that it could be formed of a single component, the information being conveyed by a succession of light and dark dots at one point of the screen. The transmission speed would then be still lower than in the device described above.

An operator can access the information contained in the computer, or in another computer networked with it, by entering this code by means of the keyboard, the transmission of the information being performed in an encrypted and hence safer manner. However, the risks of illicit use in case of theft, or of dispute by the bearer, cannot be eliminated.

Stated otherwise, it is possible to prevent a code from being stolen, owing to the fact that it changes with each use, so that a code observed by a third party is of no further value. Moreover, the device can be used with computers of any type, even in a public place, without any risk of the code used thereby being appropriated. On the other hand, in case of theft of the device itself, access to the information is no longer secure. The aim of the present invention is to alleviate this drawback.

Document WO 87/03977 relates to a control system serving as a key for controlling access to a computer by information exchange, in particular by means of a photoelectric sensor. It comprises a box carrying the sensor and in which the control electronics are housed. In one variant, it is envisaged that a biometric sensor, apparently usable instead of the information exchange process, be associated with the photoelectric sensor.

The device according to the invention is therefore intended to ensure secure online transactions between a provider of services and an operator, and to be used by the operator with a station of computer type comprising a screen and a keyboard, and linked at least mediately with a computer managed by the provider, the link being interactive. This device comprises:

-   a signals reception facility devised to receive a signal originating from the said computer,
-   a read only memory, in which a program for analyzing the signal and a decryption program are recorded,
-   a read only memory of programmable type, known by the name PROM or EPROM for example, in which information specific to the operator may be recorded,
-   a microprocessor for implementing these programs and for carrying out the processing and the decryption of the signal received by the signals reception facility and for transforming it into a code, and
-   communication means for rendering the code accessible to the operator.

It is characterized in that it comprises, in addition, a biometric sensor to capture data relating to the operator and a locking/unlocking facility disposed between the signals reception facility and the communication means, in that the read only memory comprises a program for processing the data originating from the biometric sensor, and in that the microprocessor is devised so as to:

-   implement the processing program so as to generate an information item from the data captured by the biometric sensor,
-   compare the information item thus obtained with the information contained in the read only memory of programmable type,
-   order the locking/unlocking facility in case of conformity,
-   transmit the code to the communication means so as to render it accessible to the operator, allowing him to enter it by means of the keyboard and transmit it to the computer, with a view to authorizing the transaction.

Admittedly it is known, through documents U.S. Pat. No. 6,213,403 and DE 41 25 198 in particular, to call upon biometry in the field of security. Document U.S. Pat. No. 6,213,403 describes a credit card furnished with a fingerprint reader and with a connector allowing the card to be linked to a terminal which reads the information emanating from the card and sends it to the service provider's computer. Such a solution therefore requires complementary means which are not necessarily available, and involves electrical contacts whose reliability may be problematic. Moreover, the volume of information to be transmitted is sizeable, since the operator must be identified safely and thus differentiated from all the other registered customers.

The apparatus described in document DE 41 25 198 comprises a memory in which information is stored and a biometric sensor that allows or denies access to the information in memory. This solution is proposed as an alternative to the inputting of a code.

Stated otherwise, none of the documents mentioned above describes a device allowing information exchange with a remote computer that calls upon a minimum of information to be transmitted while guaranteeing the security offered by a device of biometric type, in contrast to the device according to the invention. This advantage is obtained by virtue of the fact that the biometric sensor orders the unlocking of the communication means allowing the linkup with the computer with which the device is communicating.

In the device according to the invention, the data corresponding to the morphology of the operator are placed in memory in its programmable type read only memory, so that the identification of the individual is effected by the device itself. It is thus not necessary to have his print recorded by the central computer, which learns only the outcome of the comparison, through the code. Problems relating to the protection of data relating to individuals can thus be avoided.

Advantageously, the signals reception facility is a sensor of photoelectric type, the communication means are formed of a display cell, and the biometric sensor is devised so as to read a fingerprint.

Good working conditions may be obtained with a photoelectric sensor formed of a matrix of photoelectric cells whose pitch is at most half that of the matrix of dots which represents the signal originating from the computer and is displayed on the screen. An optic, advantageously formed of a convergent lens, is disposed in front of each of the photoelectric cells, so as to bring about the convergence of the light originating from only a portion of the screen, this portion being smaller than one of the dots of the matrix of dots.

Other advantages and characteristics of the invention will emerge from the description which follows, given with regard to the appended drawing, in which:

FIG. 1 shows a security device according to the invention, in the environment allowing its deployment,

FIG. 2 is a logic diagram of the device according to the invention, and

FIG. 3 represents a flowchart relating to the manner of operation of the device.

FIG. 1 represents, diagrammatically, a security device 10 according to the invention, disposed in a computing environment calling upon a computer comprising more particularly a central processing unit 12 linked to a modem 14 for allowing a link to a network such as the Internet and, through the latter, to a service provider computer 15, a screen 16 and a keyboard 18, that are likewise linked to the central processing unit 12.

A portion of the screen 16 displays a rectangular zone formed of an alternation of black and white dots, defining a binary matrix structure 16 a, whose origin and function will be explained in greater detail hereinbelow, as well as two markers 16 b intended to allow the positioning of the device 10 on the screen 16.

The device 10 takes the form of a card, advantageously of the customary format for credit cards, and comprising a plastic plate 20, forming a support and defining the surround of the device and part of which has been cut away so as to reveal the components integrated therein. These components are a sensor 22 ensuring a signals reception facility function, visible on the rear face of the plate 20, a display cell 24 and a biometric sensor 26 that are visible on the front face of the plate 20, and control electronics 28 integrated into the plate 20. The sensor 22 can be supplemented with an infrared detector and/or an RFID receiver, interfaces that are often available with modern computers and which also play the role of signals reception facility.

These components are powered by an electrical energy source, not represented in the drawing, which may be a battery or a set of photoelectric cells powering an accumulator or a capacitor.

The sensor 22 is formed of a matrix of photoelectric cells 22 a of similar type to those used in video cameras, having a pitch around two to three times less than the pitch of the matrix structure 16 a, each cell comprising a microlens for focusing the light originating from a portion of the screen 16 smaller than a dot of the matrix structure 16 a. It is linked to the control electronics 28.

The display cell 24 is of liquid crystal type, making it possible to display at least six digits, advantageously up to ten digits or letters.

Both the sensor 22 and the cell 24 are of a make that is standard to the person skilled in the art and exhibit no particular characteristic.

The biometric sensor is of the type marketed by the firm Infineon AG (Stuttgart, Germany) under the name “FingerTIP”, or described in patent U.S. Pat. No. 6,069,970. This type of sensor can be housed in a very restricted space and consumes little energy while allowing an individual to be identified from a fingerprint. It requires, furthermore, modest computing means, as will be apparent later.

As shown by FIG. 2, the control electronics 28 comprises a microprocessor 30 and a memory 32 linked to the microprocessor in such a way as to allow an exchange of information between them. The microprocessor 30 receives information from the photoelectric sensor 22 and from the biometric sensor 26, and transmits orders to the display cell 24.

The microprocessor 30 is devised to perform three types of operations, i.e.:

-   analysis of the information originating from the biometric sensor 26 which, in case of a positive result, instructs a time-delayed unlocking that authorizes the other functions;
-   decryption of the information received by the sensor 22; and
-   control of the display 24 on the basis of the information obtained during decryption.

These operations are performed in conjunction with the programs and the information stored in the memory 32. The latter comprises a first part 32 a, nonvolatile or read only, in which are recorded the control programs for the microprocessor 30, of the type generally known by the name ROM memory, and a second part 32 b, formed of a programmable read only memory, for example of the PROM type, that is to say one that can be programmed once, and in which there is information specific to the device and to its operator, referring on the one hand to decryption, on the other hand to biometry. It would also be possible to use a memory of EPROM type, that is to say one allowing reprogramming under certain conditions.

For a proper understanding of these operations, the description will firstly detail the manner of operation of the device, then the control logic applied by the microprocessor 30.

Before being able to be used, the device must be initialized. A program is entered into the memory 32 b, from the computer 15. This program makes it possible to generate, from the information received by the sensor 22, a numerical or alphanumeric code, typically from 6 to 10 signs. It must be possible for the same operation to be carried out by the computer 15, when it is invoked, as will be detailed later.

The device must, furthermore, record one or two fingerprints of the operator who alone will subsequently be empowered to use the device. The latter is then ready to be used.

When the operator wishes to call upon a service catered for by the computer 15, he begins by linking the central processing unit 12 to the computer, through the modem 14, according to the customary procedures, by giving his identity, for example by means of an input code of the type called a PIN code.

In parallel with this, he triggers the device 10, it being possible for the triggering to be done by simple exposure to light when the energy source is formed of photoelectric cells, then he applies, to the biometric sensor 26, the finger whose print is recorded. The print of the finger applied is read and processed by the microprocessor 30 and the information obtained is compared with that recorded in the memory 32 b. If the comparison leads to a match of the shapes, then the microprocessor 30 interrogates the photoelectric sensor 22.

If the energy source is formed of photoelectric cells, the device will advantageously comprise a capacitor whose capacitance makes it possible to cater for the peaks in consumption corresponding to the periods during which the control electronics 28 are heavily invoked.

The device 10 is subsequently applied against the screen 16, aligned with the markers 16 b, in such a way that the sensor 22 is opposite the image 16 a. Since the pitch of the matrix of the photoelectric cells 22 a of the sensor 22 is two to three times less than that of the dot matrix displayed by the image 16 a, several neighboring cells receive the same information item. Through a proximity analysis, it is possible for the microprocessor 30 to reconstruct the image 16 a and, thereby, its binary equivalent. This equivalent is processed by the decryption program of the microprocessor 30, so as to obtain the code, which is displayed on the display cell 24.
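The oversampled read-out described above (and the pitch requirement stated for the sensor 22) can be shown in working code. The following simulation is an added example, not a program from the patent: it draws a constructed 8×8 dot matrix on a pixel "screen", samples it with a sensor matrix whose pitch is one third of the dot pitch, laid on the screen with a residual misalignment that the decoder does not know (assumed to be under half a dot, since the markers 16 b give the coarse alignment), and rebuilds the bits by trying each candidate alignment, keeping the one whose samples agree best (the proximity analysis), and taking the majority value per dot so that a flipped sample here and there is absorbed. DOT_PX, SENSOR_PX, the point-sampling model and the matrix_from_bytes helper are assumptions of the simulation.

```python
"""Simulation of the optical read-out: a binary dot matrix (16 a) drawn on the
screen, sampled by a finer photoelectric matrix (22 a) and rebuilt by proximity
analysis plus majority vote.  Added example; all values are constructed."""

DOT_PX = 12      # screen pixels per dot of the matrix (assumed)
SENSOR_PX = 4    # sensor cell pitch: one third of the dot pitch (assumed)


def matrix_from_bytes(data, cols=8):
    """Lay out the bits of `data` row by row, MSB first, `cols` dots per row."""
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    return [bits[r:r + cols] for r in range(0, len(bits), cols)]


def render(bits, dot_px=DOT_PX):
    """Draw the matrix as a pixel image: 1 = black dot, 0 = white."""
    rows, cols = len(bits), len(bits[0])
    return [[bits[y // dot_px][x // dot_px] for x in range(cols * dot_px)]
            for y in range(rows * dot_px)]


def sense(img, offset_x, offset_y, sensor_px=SENSOR_PX):
    """Read the image with a sensor the size of the matrix, placed on the screen
    with a residual misalignment (offset_x, offset_y) in pixels.  Each cell's
    microlens sees a spot smaller than one dot, modelled as a point sample at
    the cell centre; pixels outside the matrix are white screen background."""
    h, w = len(img), len(img[0])
    samples = []                      # (x, y, value) in sensor coordinates
    for y in range(sensor_px // 2, h, sensor_px):
        for x in range(sensor_px // 2, w, sensor_px):
            sx, sy = x + offset_x, y + offset_y
            inside = 0 <= sx < w and 0 <= sy < h
            samples.append((x, y, img[sy][sx] if inside else 0))
    return samples


def decode(samples, rows, cols, dot_px=DOT_PX):
    """Proximity analysis: for every candidate misalignment up to half a dot,
    assign each sample to the dot it would fall in and count the samples that
    disagree with the others in their dot.  Keep the alignment with the least
    disagreement and give each dot the majority value of its samples."""
    best_key, best_votes = None, None
    span = dot_px // 2
    for sy in range(-span, span + 1):
        for sx in range(-span, span + 1):
            votes = [[[0, 0] for _ in range(cols)] for _ in range(rows)]
            for x, y, v in samples:
                c, r = (x + sx) // dot_px, (y + sy) // dot_px
                if 0 <= r < rows and 0 <= c < cols:
                    votes[r][c][v] += 1
            disagreement = sum(min(z, o) for row in votes for z, o in row)
            key = (disagreement, abs(sx) + abs(sy))  # smaller shift wins ties
            if best_key is None or key < best_key:
                best_key, best_votes = key, votes
    return [[1 if o > z else 0 for z, o in row] for row in best_votes]


if __name__ == "__main__":
    bits = matrix_from_bytes(b"SECURITY")             # constructed 64-bit payload
    reading = sense(render(bits), offset_x=3, offset_y=-2)
    for i in (100, 200, 300):                          # three flipped samples as read noise
        x, y, v = reading[i]
        reading[i] = (x, y, v ^ 1)
    assert decode(reading, 8, 8) == bits
    print("recovered:", bytes(int("".join(map(str, row)), 2) for row in bits))
```

Because the sensor pitch divides the dot pitch, every interior dot collects exactly three samples per axis whatever the residual offset, which is what makes the majority vote robust; with a pitch only slightly finer than the dots some dots would get a single sample and a single bad cell would corrupt the bit.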

If the communication is effected with an interface of infrared or RFID type, for example, the information is obtained directly in binary form.

It then remains for the operator to enter this code by means of the keyboard 18 into the central processing unit 12 and, through the modem 14, to forward it to the computer 15, which compares it with the reference one. Should there be a match, the computer then allows the transaction.

Hence, the computer 15 knows with certainty the individual with whom it is linked up, through the combination of the biometric lock and of the decryption device. Moreover, the operator can be certain that it will not be possible for his card to be used by another individual, even in case of loss or of theft.

It goes without saying that the device is devised in such a way that the content of the memory 32 b is made secure, stated otherwise that its content cannot be read or reproduced. This can be done in a manner well known to the person skilled in the art, by the application of means known as “tamper proof”.

In cases where the code is relatively short, it could be possible for an individual not having a device according to the invention to connect up to the computer 15 and, when the image 16 a appears, to send a random code that gives him access to the computer 15 in an unauthorized manner. Such misuse can be countered by demanding two successive codes, since the chance of guessing both is the square of the chance of guessing one.

FIG. 3 represents a flowchart of the programs applied by the microprocessor 30. The first operation 34 consists in triggering the device. The operator's print is subsequently read at 36, then compared with the information in the memory 32 b. If the comparison arrives at a negative result, the device is, without further ado, stopped, as represented at 40. If the response is positive, a timer is set going at 42 and the microprocessor 30 processes the information gathered by the sensor 22 and decrypts it at 46, to obtain the access code. The latter is subsequently forwarded at 48 to the display 24 to render it accessible to the operator.

Stated otherwise, the microprocessor 30 acts as a locking/unlocking facility, disposed between the photoelectric sensor 22 and the display cell 24, and allowing the reading of the code only if the print read by the sensor 26 conforms to the information in the programmable read only memory 32 b.

When the time delay has elapsed, which is of the order of a minute, the device is stopped, as indicated at 40.
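The round trip described in the operating procedure and in the flowchart (initialization of memory 32 b from computer 15, fingerprint gate, screen read, code typed back, two successive codes, timed unlock) is modelled below. This is an added example, not the patent's program: the code derivation (a keyed hash of the screen signal truncated to decimal digits, which is one way of satisfying the requirement that computer 15 can carry out the same operation as the card), the exact-match stand-in for the fingerprint matcher, the attempt limit MAX_FAILURES and the session bookkeeping are all assumptions.

```python
"""Model of the transaction round trip between the provider's computer (15),
the card (10) and the operator.  Added example, not the patent's program: the
code derivation (keyed hash truncated to decimal digits), the exact-match
stand-in for the fingerprint matcher, the attempt limit and the session
bookkeeping are assumptions."""
import hashlib
import hmac
import secrets

CODE_DIGITS = 6          # "typically from 6 to 10 signs"
UNLOCK_SECONDS = 60.0    # time delay "of the order of a minute"
ROUNDS = 2               # "demanding two successive codes"
MAX_FAILURES = 3         # assumed limit on wrong codes per operator


def derive_code(secret, challenge, digits=CODE_DIGITS):
    """The operation that both the card and computer 15 must be able to carry
    out: turn the signal shown on the screen into a short code using the
    per-card secret.  HMAC-SHA256 truncated to decimal digits (assumed)."""
    mac = hmac.new(secret, challenge, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** digits).zfill(digits)


class Card:
    """Memory 32 b holds the secret and the enrolled print; the microprocessor
    lets a code reach the display only while the biometric unlock is live."""

    def __init__(self, secret, enrolled_print):
        self._secret = secret
        self._enrolled_print = enrolled_print
        self._unlocked_until = 0.0      # timer started at 42 after a match

    def present_finger(self, live_print, now):
        # Exact comparison stands in for a real fingerprint matcher (assumption).
        if hmac.compare_digest(live_print, self._enrolled_print):
            self._unlocked_until = now + UNLOCK_SECONDS
            return True
        self._unlocked_until = 0.0      # negative result: device stopped (40)
        return False

    def read_screen(self, challenge, now):
        """Code for display 24, or None while the lock is closed."""
        if now >= self._unlocked_until:
            return None
        return derive_code(self._secret, challenge)


class ProviderComputer:
    """Computer 15: issues the challenge drawn as matrix 16 a and checks the
    code typed back on keyboard 18."""

    def __init__(self):
        self._secrets = {}      # operator id -> card secret, set at initialization
        self._sessions = {}     # operator id -> current challenge and counters

    def initialize_card(self, operator_id):
        secret = secrets.token_bytes(32)
        self._secrets[operator_id] = secret      # the copy loaded into memory 32 b
        return secret

    def new_challenge(self, operator_id):
        s = self._sessions.setdefault(
            operator_id, {"challenge": None, "passed": 0, "failed": 0})
        if s["failed"] >= MAX_FAILURES:
            return None                          # operator locked out
        s["challenge"] = secrets.token_bytes(16) # 128 fresh bits, used once
        return s["challenge"]

    def submit_code(self, operator_id, code):
        s = self._sessions.get(operator_id)
        if s is None or s["challenge"] is None:
            return "no-challenge"
        expected = derive_code(self._secrets[operator_id], s["challenge"])
        s["challenge"] = None                    # a code is never accepted twice
        if not hmac.compare_digest(expected.encode(), code.encode()):
            s["passed"] = 0
            s["failed"] += 1
            return "locked" if s["failed"] >= MAX_FAILURES else "rejected"
        s["passed"] += 1
        if s["passed"] < ROUNDS:
            return "next-code"
        s["passed"] = 0
        return "authorized"


def run_transaction(card, provider, operator_id, live_print, now=0.0):
    """Finger on sensor 26, then one screen read and one typed code per round."""
    if not card.present_finger(live_print, now):
        return "finger-rejected"
    status = "next-code"
    while status == "next-code":
        challenge = provider.new_challenge(operator_id)   # shown as matrix 16 a
        if challenge is None:
            return "locked"
        code = card.read_screen(challenge, now)           # read and displayed
        if code is None:
            return "card-locked"
        status = provider.submit_code(operator_id, code)  # typed on keyboard 18
    return status
```

Usage: `provider = ProviderComputer(); card = Card(provider.initialize_card("op"), b"enrolled-print"); run_transaction(card, provider, "op", b"enrolled-print")` returns `"authorized"`, while any other print returns `"finger-rejected"` without a code ever reaching the display. Two points worth noting: the provider never sees the print, only the code, which is the privacy property claimed for the device; and a blind guess at a 6-digit code succeeds with probability 10^-6 per attempt, 10^-12 for two successive codes, with the failure counter bounding the number of attempts in any case.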

The device according to the invention can form the subject of numerous variants. The number of dots making up the matrix 16 a can vary considerably as a function of the security that one wishes to have in the communication.

The matrix of dots can be replaced by an image, colored or otherwise, the microprocessor then being provided with a program allowing analysis thereof. The means of communication could also be formed with a sound source, and this would make it possible, for example, for a person with impaired vision to profit from the advantages of the device.

The reading of a fingerprint is particularly simple and effective. It would also be possible to apply the same method to other parts of the operator's body, for example to the iris of the eye.

The applications of this device are numerous. In addition to electronic commerce, it can also be used with apparatus such as bank bill dispensers, the reading screen and the control dial sufficing for communication with the computer 15. They may also cater for a voter card function, for accomplishing acts such as an electronic ballot by Internet network, or even an identity card function, or be associated with a passport.

It is also possible to operate access to confidential information stored in a computer, but without having to go via a modem. In this case, the computer 15 is linked directly to the screen 16 and to the keyboard 18.

It is of course understood that the device comprises a random access memory, of RAM type for example, which has not been described, for storing information currently being processed.

1. A security device for online transaction between a service provider furnished with a computer and an operator furnished with a station of computer type, wherein the operator computer station comprising a screen and a keyboard is linked at least mediately and in an interactive manner with said service provider computer, said security device comprises: a signals reception facility devised to receive a signal originating from said operator computer station; a first read only memory of programmable type, in which a program for analyzing the signal and a program for decryption are recorded; a second read only memory of programmable type, adapted to record information specific to the operator; a microprocessor for implementing said programs and for carrying out the processing and the decryption of an encrypted signal received by the signals reception facility, by means of the information contained in the memory, and for transforming it into a code; communication means for rendering said code accessible to the operator; a biometric sensor devised to capture biometric data from the operator; a locking/unlocking facility disposed between the signals reception facility and the communication means; wherein said first read only memory of programmable type comprises a processing program for processing the biometric information originating from the biometric sensor; wherein said signals reception facility is a photoelectric sensor and said communication means are a display cell; and wherein said microprocessor is devised to implement the processing program to generate an information item from the biometric data captured from the operator by said biometric sensor, to compare the information item with the information previously stored in the second read only memory of programmable type, to order the locking/unlocking facility in case the comparison leads to a match, to transmit said code to the communication means to render it accessible to the operator, to allow the operator to enter said code by means of the keyboard and transmit it to said service provider computer, with a view to authorizing said transaction.

2. The security device as claimed in claim 1, wherein said biometric sensor is devised so as to read a fingerprint.

3. The security device as claimed in claim 1, configured to read the signal originating from the computer station displayed on the screen in the form of a matrix of dots, wherein the photoelectric sensor is formed of a matrix of photoelectric cells, whose pitch is at most half the pitch of the matrix of dots, and of an optic disposed in front of each of said cells to bring about the convergence of the light originating from only a portion of the screen, which portion is smaller than one of said dots of the matrix.

4. The security device as claimed in claim 3, wherein said optic is formed of a convergent lens.

5. The security device as claimed in claim 3, wherein said optic is formed of a convergent light guide.

6. The security device as claimed in claim 1, configured to read the signal originating from the computer station displayed on the screen in the form of a matrix of dots, wherein the screen display comprises markers outside the displayed matrix of dots for adjusting the position of the device and its photoelectric sensor against the screen.

7. The security device as claimed in claim 1, configured to read the signal originating from the computer station displayed on the screen in the form of a matrix of dots, wherein the photoelectric sensor is formed of a matrix of photoelectric cells having sensitive zones arranged such that they are sufficiently separated to match the different dots on the screen when the device is held on the screen.

8. The security device as claimed in claim 7, wherein the screen display comprises markers outside the displayed matrix of dots for adjusting the position of the device and its photoelectric sensor against the screen.